Interoperability with Oracle Service Bus 10g Security Environments 6-15
– Active Types: X.509
– Use Default User Name Mapper: True
2. If the users are not added, add the Common Name (CN) user specified in the certificate as described in "Create users" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
3. Restart Oracle WebLogic Server.
6.5.1 Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service
To configure Oracle Service Bus 10g client and Oracle WSM 11g Web service, perform the steps described in the following sections:
■ Configuring Oracle WSM 11g Web Service
■ Configuring Oracle Service Bus 10g Client
6.5.1.1 Configuring Oracle WSM 11g Web Service
1. Create and deploy a SOA composite.
2. Create a copy of the following policy: wss10_x509_token_with_message_protection_service_policy.
Edit the policy settings, as follows:
a. Set Encryption Key Reference Mechanism to issuerserial.
b. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.
For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
3. Attach the policy to the Web service.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
6.5.1.2 Configuring Oracle Service Bus 10g Client
1. Create an Oracle Service Bus business service.
2. Create a copy of the Encrypt.xml and Sign.xml policy files.
For example, copy the files to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.
Note: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
3. Attach the X.509 policy to the Oracle Service Bus business service request.
<wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:s0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    s0:Id="X509Auth">
  <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
    <wssp:SupportedTokens>
      <wssp:SecurityToken
          TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wssp:SupportedTokens>
  </wssp:Identity>
</wsp:Policy>
6-16 Oracle Fusion Middleware Interoperability Guide for Oracle Web Services Manager
4. Attach the Sign.xml policy file to the Oracle Service Bus business service request.
5. Edit the myEncrypt.xml policy and attach it to the Oracle Service Bus business service request.
<?xml version="1.0"?>
<wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    wsu:Id="X509Encrypt">
  <wssp:Confidentiality>
    <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <wssp:Target>
      <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo/>
  </wssp:Confidentiality>
</wsp:Policy>
6. Edit the mySign.xml policy file attached to the Oracle Service Bus business service response to specify that the security token is unsigned:
<wssp:Integrity SignToken="false">
Also, for SOA clients only, comment out the target for system headers, as shown:
<?xml version="1.0"?>
<wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    wsu:Id="X509Sign">
  <wssp:Integrity SignToken="false">
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <!--wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target-->
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SecurityHeader(wsu:Timestamp)
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
  </wssp:Integrity>
  <wssp:MessageAge/>
</wsp:Policy>
7. Attach the myEncrypt.xml policy file from Step 6 to the Oracle Service Bus business service response.
8. Create a ServiceKeyProvider.
9. Specify Encryption Key and Digital Signature Key, as required. You must use different keys on the Oracle WSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired.
10. Create a proxy service, and create a route to the business service.
On the Security page, associate the Service key provider. This is needed for Oracle Service Bus to send the client certificate to SOA.
11. Run the proxy service from the Oracle Service Bus console.
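The following check is an added example, not part of the Oracle guide: before attaching the edited myEncrypt.xml and mySign.xml copies, it confirms that their algorithm URIs are the ones WS-SecurityPolicy defines for Basic128Rsa15 (the suite set on the Oracle WSM side) and that the step 6 edits are in place. The function name check_policy and the trimmed sample policies are assumptions constructed for illustration; the SystemHeaders check applies to the SOA-client case only.

```python
import xml.etree.ElementTree as ET

WSSP = "{http://www.bea.com/wls90/security/policy}"

# Algorithm URIs that WS-SecurityPolicy assigns to the Basic128Rsa15 suite.
BASIC128RSA15 = {
    "KeyWrappingAlgorithm": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "EncryptionAlgorithm": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "SignatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "DigestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
    "CanonicalizationAlgorithm": "http://www.w3.org/2001/10/xml-exc-c14n#",
}

def check_policy(xml_text):
    """Hypothetical helper: return findings; an empty list means no mismatch."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = elem.tag.replace(WSSP, "")
        expected = BASIC128RSA15.get(name)
        if expected and elem.get("URI") != expected:
            findings.append(f"{name}: {elem.get('URI')} (expected {expected})")
    for integrity in root.iter(WSSP + "Integrity"):
        if integrity.get("SignToken") != "false":
            findings.append("Integrity: SignToken is not 'false'")
        # XML comments are dropped on parse, so a commented-out target is invisible;
        # any SystemHeaders() part still seen here is an active signing target.
        for parts in integrity.iter(WSSP + "MessageParts"):
            if "SystemHeaders" in (parts.text or ""):
                findings.append("Integrity: wls:SystemHeaders() target still active")
    return findings

NS = ('xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
      'xmlns:wssp="http://www.bea.com/wls90/security/policy"')
# Constructed samples, trimmed from the mySign.xml / myEncrypt.xml shapes above.
GOOD_SIGN = f'''<wsp:Policy {NS}><wssp:Integrity SignToken="false">
  <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <!--wssp:Target><wssp:MessageParts>wls:SystemHeaders()</wssp:MessageParts></wssp:Target-->
  <wssp:Target><wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <wssp:MessageParts>wsp:Body()</wssp:MessageParts></wssp:Target>
</wssp:Integrity></wsp:Policy>'''
# Same policy with the step 6 edits undone: signed token, system headers target active.
BAD_SIGN = (GOOD_SIGN.replace('SignToken="false"', 'SignToken="true"')
            .replace("<!--", "<").replace("-->", ">"))
BAD_ENCRYPT = f'''<wsp:Policy {NS}><wssp:Confidentiality>
  <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  <wssp:Target><wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <wssp:MessageParts>wsp:Body()</wssp:MessageParts></wssp:Target>
</wssp:Confidentiality></wsp:Policy>'''
```

Run check_policy over the text of each edited policy file; a non-empty result names the element that no longer matches the suite configured on the Oracle WSM policy.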
6.5.2 Configuring Oracle WSM 11g Client and Oracle Service Bus 10g Web Service